NIS2 – in anticipation of October 2024…
The NIS Directive was a step in the right direction for cybersecurity, and therefore for our data and
the services we rely on. The most important thing is to start. The next step is to improve, because the original NIS
Directive left quite a few things uncovered. That is why NIS2 was introduced: it covers a wider
range of entities and imposes more stringent security requirements.
“The aim of the Directive should be to ensure a high level of accountability for cybersecurity risk
management measures and incident reporting obligations at the level of key and important entities.”
The key deadline is 17 October 2024, by which Member States must transpose the Directive into enforceable national rules.
The main extensions to NIS1 include:
a. More entities covered by the Directive: NIS2 applies to a wider range of entities than NIS1 and divides them into essential (rendered in some translations as "key" or "significant") and important entities. Essential entities are, broadly, the larger organisations in the sectors of high criticality that provide services critical to society, such as energy, transport, banking, health and digital infrastructure. Important entities are the remaining in-scope organisations, including those in the "other critical sectors", such as postal and courier services, waste management, food production and manufacturing.
b. Stricter security requirements: mainly in the areas of risk management, incident detection and handling, and information security awareness and training.
c. Incident reporting: NIS2 requires entities to report significant incidents to the authorities (the CSIRT or the competent authority) in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (Article 23). The focus is on reporting indicators of compromise and all data that allows a given attack scenario to be characterised and mitigated.
d. Penalties: up to €10 million or 2% of the entity's total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities. Legislators are clearly following the example of the GDPR (a regulation, not a directive), whose fines have noticeably raised the quality of data protection mechanisms.
Below we present the points of the NIS2 Directive that we find most interesting:
1. General:
a. Recital 89. Essential and important entities should adopt a wide range of basic cyber hygiene practices, such as:
I. zero-trust principles
II. software updates
III. proper configuration of devices
IV. network segmentation
V. identity and access management
VI. user awareness (training staff on cyber threats, phishing and social engineering techniques)
In order to improve their cybersecurity posture, these entities should:
- evaluate their own cybersecurity capabilities
- where appropriate, pursue the integration of cybersecurity-enhancing technologies, such as artificial intelligence or machine-learning systems
NIS2 thus explicitly spells out what counts as basic cyber hygiene, which analyses (a capability assessment) and which strategy elements (technology integration) are expected of these entities.
b. Recital 101. "(…) Indicators such as the extent of the impact on the operation of the service, the duration of the incident or the number of affected service users can play an important role in determining whether the operational disruption to the service is severe."
NIS2 lists the parameters that matter when assessing the extent of a disruption.
2. Article 6 – Definitions
a. ‘potential cybersecurity event’ (the official English term is ‘near miss’) means an event that could have compromised the
availability, authenticity, integrity or confidentiality of stored, transmitted or
processed data or of the services offered by, or accessible via, network and information
systems, but that was successfully prevented or did not materialise;
b. ‘incident’ means an event that compromises the availability, authenticity, integrity or
confidentiality of data stored, transmitted or processed or services offered by or
accessible through networks and information systems;
c. ‘large-scale cybersecurity incident’ means an incident that causes disruption beyond the
capacity of a Member State to respond to the incident or that has a significant impact in
two or more Member States;
d. ‘incident response’ (the official English term is ‘incident handling’) means the actions and procedures designed to prevent, detect,
analyse, contain or respond to an incident and to recover normal operations;
e. ‘risk’ means the possibility of loss or disruption caused by an incident, expressed as the
resultant of the magnitude of such loss or disruption and the likelihood of such an
incident occurring;
Some of the more interesting definitions of artifacts and events in the cybersecurity management
process.
3. Article 21 Section 2 – Risk management measures – ‘shall be based on an all-hazard approach
aimed at protecting networks and information systems and the physical environment of these
systems from incidents and shall include at least the following elements’:
a. Policies on risk analysis and information system security
b. Incident Response procedure
c. Business continuity procedures (e.g. managing backups and restoring normal operations
after an emergency) and crisis management;
d. Supply chain security policy (including security-related aspects of the relationship
between each entity and its direct suppliers or service providers)
e. Security policies in the process of acquiring, developing and maintaining networks and
information systems (including vulnerability management and disclosure)
f. Policies and procedures to assess the effectiveness of cybersecurity risk management
measures;
g. Basic Cyber Hygiene Practices and Cybersecurity Training;
h. Policies and procedures for the use of cryptography and encryption
i. Human Resources Security, Access Control, and Asset Management Policies
j. Procedures for applying multi-factor or continuous authentication, secure voice, text,
and video calls, and secure communications systems within the entity in emergency
situations.
Again, NIS2 lists by name the documents needed to achieve the level of risk management
required by the Directive (assuming, of course, that they are applied with understanding rather than kept on a shelf).
4. Article 32(7) – Factors to be taken into account when imposing enforcement measures for
infringements of the NIS2 Directive:
"(…) competent authorities shall respect the rights of the defence and shall take into account
the circumstances of each individual case and shall take due account of at least:
a. the seriousness of the infringement and the importance of the provisions breached; the
following infringements, among others, are to be considered serious in any case:
I. repeated infringements;
II. failure to report or rectify major incidents;
III. failure to remedy deficiencies in accordance with binding orders of competent
authorities;
IV. obstructing audits or monitoring activities ordered by a competent authority
after a breach has been identified;
V. providing false or grossly inaccurate information with regard to cybersecurity
risk management measures or incident reporting obligations laid down in
Articles 21 and 23;
b. the duration of the breach;
c. material previous infringements by the entity concerned;
d. property and non-material damage caused, including financial or economic losses,
impact on other services, and the number of users affected by the incident;
e. the intentional or unintentional nature of the act on the part of the infringer;
f. measures taken by the entity to prevent or limit material and non-material damage;
g. the use of approved codes of conduct or approved certification mechanisms;
h. the degree of cooperation between the natural or legal persons responsible and the
competent authorities.
If it has “happened” – NIS2 provides clear guidance on what factors will allow you to minimise
potential penalties from enforcement authorities.
5. Article 35(1). Breaches involving a personal data breach
"Where, in the course of supervision or enforcement, the competent authorities become aware that an infringement by an
essential or important entity of the obligations laid down in Articles 21 and 23 of this Directive can
entail a personal data breach as defined in Article 4, point (12), of Regulation (EU) 2016/679
which is to be notified pursuant to Article 33 of that Regulation, they shall inform the supervisory authorities
referred to in Articles 55 and 56 of that Regulation without undue delay."
In other words: if you have failed to comply with the NIS2 requirements and, because of an inadequate level of IT
security, an incident involving personal data has occurred, expect a separate investigation (and
potentially a penalty) from the authorities responsible for the GDPR.
6. Annexes I and II – Are you covered by NIS2?
a. Annex I: sectors of high criticality
b. Annex II: other critical sectors
ARE YOU AFRAID OF THE DARK?
We find the NIS2 Directive as a whole a fascinating read and certainly recommend it for long evenings.
In this article we have taken the liberty of highlighting those provisions of the Directive
which specifically mention particular processes, activities or technologies,
and which we can help you implement.
2024 is the year of NIS2 implementation in organisations, and 2025 should be welcomed with full
NIS2 compliance. Get started now and 17 October 2024 will be a date like any other!